Attacks and Vulnerabilities
CISA
Critical infrastructure
ICS Security Framework
Identity and Access Management (IAM)
Industries
Management & Strategy
Medical
News
Perimeter security
Regulation, Standards and Compliance
Risk & Compliance
System Design & Architecture
Technology & Solutions

Security flaws found in Boston Scientific’s Zoom Latitude used in healthcare, public health

October 04, 2021
Zoom Latitude

The Cybersecurity and Infrastructure Security Agency (CISA) warned of the presence of several security vulnerabilities in Boston Scientific’s Zoom Latitude Programmer/Recorder/Monitor (PRM) Model 3120 equipment deployed globally across the healthcare and public health sectors. These security loopholes include the use of password hash with insufficient computational effort, missing protection against hardware reverse engineering using integrated circuit (IC) imaging techniques, improper access control, missing support for integrity check, and reliance on software components that cannot be updated.

The exploitation of these vulnerabilities may allow an attacker with physical access to the affected device to obtain patient-protected health information (PHI), and/or compromise the integrity of the device, CISA said in its ICS Medical Advisory. The affected device is not network connected and does not contain hardware to be network connected.

CISA noted that these issues were discovered by Endres Puschner – Max Planck Institute for Security and Privacy, Bochum, Christoph Saatjohann – FH Münster University of Applied Sciences, Christian Dresen – FH Münster University of Applied Sciences, and Markus Willing – University of Muenster, as part of broader academic research of cardiac devices and reported them to Boston Scientific.

The Zoom Latitude PRM Model 3120 equipment consists of portable cardiac rhythm management systems, which are used to communicate with implanted pacemakers and defibrillators.

An attacker with physical access to the Zoom Latitude Model 3120 equipment can remove the hard disk drive or create a specially crafted USB to extract the password hash for brute force reverse engineering of the system password, CISA warned. In addition, a hacker with physical access to the device can extract the binary that checks for the hardware key and reverse engineer it, which could be used to create a physical duplicate of a valid hardware key. The hardware key allows access to special settings when inserted.

CISA also detected that a skilled attacker with physical access to the Zoom Latitude equipment can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world. Besides, the programmer installation utility does not perform cryptographic authenticity or integrity checks of the software on the flash drive. An attacker could leverage this weakness to install unauthorized software using a specially crafted USB.

The Zoom Latitude equipment also uses off-the-shelf software components that contain unpatched vulnerabilities. A malicious attacker with physical access to the affected device could exploit these vulnerabilities.

The CISA advisory said that Boston Scientific is in the process of transitioning all users to the Latitude Programming System Model 3300, which will act as a replacement programmer with enhanced security. Boston Scientific will not issue a product update to address the identified vulnerabilities in the Zoom Latitude Model 3120.

To reduce the risk of exploitation, Boston Scientific recommends those still utilizing the Zoom Latitude PRM Model 3120 implement control access to the device and ensure all access is properly inventoried, maintain the device in a secure or locked location when not in use, and remove PHI prior to retiring or removing the device from the facility. Instructions for removing PHI are outlined in the operator’s manual. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

In October 2017, CISA had issued an advisory on the detection of two vulnerabilities in Boston Scientific Zoom Latitude Model 3120. The vulnerabilities were not remotely exploitable and require physical access, which can be hacked into by an attacker with low skill. The security agency identified that exploitation of these vulnerabilities may allow an attacker with physical access to obtain PHI.

Several security vulnerabilities were also identified in July in Philips Vue PACS equipment deployed globally in the healthcare and public health sectors. These vulnerabilities can be exploited remotely and allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity, negatively impacting the confidentiality, integrity, or availability of the system.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market